[Cryptography] Crypto best practices
Jerry Leichter
leichter at lrw.com
Tue Mar 21 16:09:29 EDT 2017
> Going by such a strict requirement, then of course - in order to completely prevent any leakage of which ranges of plaintext blocks that are identical across different encryptions under the same key+IV, then the change of any plaintext bit must also change the full ciphertext. (I believe that's also called an "all-or-nothing transform", where any change anywhere must modify all ciphertext bits, not just make a local change.)
Are we talking about *theoretical* security or *practical* security?
If it's *theoretical* security, it seems silly to be concentrating on lapses that generate the same IV twice. How about easily guessed keys? Or many other practical lapses?
If it's *practical* security, combining the user's offered IV with the time, to as high a precision as you can get it, pretty much eliminates the *practical* issue of IV reuse. (Note that you don't need a very sophisticated combiner, but XOR is likely a bad idea as some bright user may decide to himself use the high-precision time as a quick way to generate a "unique" IV.)
Of course none of this helps if you are using a mode that requires an *unpredictable* IV, not just a *unique* IV.
-- Jerry
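The combiner the post proposes (caller's IV mixed with high-precision time, using something other than XOR), as an added example that is not part of the original message. The hash-based combiner, the function names and the sample timestamps are this example's own choices; it buys uniqueness only, not the unpredictability some modes need.

```python
import hashlib
import time
from typing import Optional


def combine_iv(user_iv: bytes, t_ns: Optional[int] = None, iv_len: int = 16) -> bytes:
    """Derive an effective IV from the caller's IV and nanosecond wall-clock time.

    SHA-256 is the combiner here (an assumption of this example, not a standard),
    so the output differs even when the caller reuses user_iv, and does not
    collapse when user_iv happens to be the clock itself.  Anyone who can guess
    both inputs can predict the result, so this is unsuitable where the mode
    requires an unpredictable IV rather than merely a unique one.
    """
    if t_ns is None:
        t_ns = time.time_ns()  # nanosecond resolution, Python >= 3.7
    material = (b"iv-combine:"
                + len(user_iv).to_bytes(4, "big") + user_iv  # length prefix: no ambiguity
                + t_ns.to_bytes(16, "big"))
    return hashlib.sha256(material).digest()[:iv_len]


def xor_combine(user_iv: bytes, t_ns: int) -> bytes:
    """The naive combiner the post warns against: user_iv XOR time."""
    t = t_ns.to_bytes(len(user_iv), "big")
    return bytes(a ^ b for a, b in zip(user_iv, t))


def same_user_iv_twice_differs(t1_ns: int, t2_ns: int) -> bool:
    """Caller supplies the same IV twice; do the effective IVs still differ?"""
    user_iv = b"\x11" * 16  # constructed: a lazy caller's constant IV
    return combine_iv(user_iv, t1_ns) != combine_iv(user_iv, t2_ns)


def time_as_user_iv(t_ns: int) -> dict:
    """Caller used the clock as their 'unique' IV; compare both combiners.

    With XOR the two time values cancel and the effective IV is all zeros for
    every message; with the hash combiner it stays distinct.
    """
    user_iv = t_ns.to_bytes(16, "big")
    return {"xor": xor_combine(user_iv, t_ns), "hash": combine_iv(user_iv, t_ns)}


if __name__ == "__main__":
    print(same_user_iv_twice_differs(1_000, 1_001))
    print(time_as_user_iv(1_700_000_000_000_000_000))
```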